tree-wide: convert everything from morph to nixinate + sops-nix

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Christoph Heiss 2024-05-07 01:00:09 +02:00
parent 17b2602c2a
commit 320b97d660
Signed by: c8h4
GPG key ID: 73D5E7FDEE3DE49A
84 changed files with 1198 additions and 342 deletions

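--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1 @@
+secrets/sops/**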

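--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,35 @@
+---
+keys:
+- &christoph_trek age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+- &christoph_zero age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+# generate with: `ssh <machine> 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' | nix run nixpkgs#ssh-to-age`
+- &machine_tank age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+- &machine_fort age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+- &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d
+creation_rules:
+- path_regex: secrets/sops/(acme|restic)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_tank
+- *machine_fort
+- path_regex: secrets/sops/(grafana|home-assistant|navidrome|sourcehut|tank|vaultwarden)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_tank
+- path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|wireguard)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_fort
+- path_regex: secrets/sops/zero\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_zero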
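Review bot: The four `path_regex` patterns are unanchored; sops evaluates `path_regex` as a search over the path relative to this file and applies creation rules first-match, so `secrets/sops/(acme|restic)\.yaml` would also match a stray path like `old/secrets/sops/acme.yaml.bak`. Anchoring each rule, e.g. `- path_regex: ^secrets/sops/(acme|restic)\.yaml$` and likewise for the other three, makes the intended file set explicit and keeps an accidental copy from being encrypted to a broader key group than meant.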


@ -30,14 +30,6 @@
- `system/home-manager`: home-manager configuration.
### Notable files
- `default.nix`: Morph deployment definitions
- `flake.nix`: Nix development shell definition
- `sources.nix`: Contains all Nix package/module source definitions
## Hacking
`nix develop` will provide an ephemeral shell with all tools needed.
@ -48,4 +40,4 @@ The code is released into the public domain.
Other conditions apply to the following files:
- `extra/sway/background.png`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license)
- `pkgs/sway-background-image/background.jpg`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license)


@ -1,42 +0,0 @@
let
inherit (import ./sources.nix) defaultPkgs overlays;
pkgs = import defaultPkgs { inherit overlays; };
inherit (pkgs) lib;
mkMachine = name:
{ tags, pkgs ? null }:
{ config, ... }: {
_module.args = {
machineName = "${name}.c8h4.io";
my = import ./secrets/my.nix;
inherit (config.deployment) secrets;
};
imports = [ (./machines + "/${name}.nix") ./modules ];
nixpkgs.pkgs = lib.mkIf (pkgs != null) pkgs;
deployment = {
substituteOnDestination = true;
inherit tags;
};
};
machines = {
back = { tags = [ "external" "server" "baremetal" ]; };
fort = { tags = [ "external" "server" "vm" ]; };
tank = {
tags = [ "homelab" "server" "baremetal" ];
pkgs = import defaultPkgs {
inherit overlays;
# https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
};
};
trek = { tags = [ "desktop" ]; };
zero = { tags = [ "desktop" ]; };
};
in {
network = {
inherit pkgs;
description = "c8h4.io infrastructure";
};
} // (builtins.mapAttrs mkMachine machines)


@ -1,5 +1,37 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@ -65,6 +97,43 @@
"type": "github"
}
},
"nixinate": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1708891350,
"narHash": "sha256-VOQrKK7Df/IVuNki+NshVuGkTa/Tw0GigPjWcZff6kk=",
"owner": "MatthewCroughan",
"repo": "nixinate",
"rev": "452f33c60df5b72ad0858f5f2cf224bdf1f17746",
"type": "github"
},
"original": {
"owner": "MatthewCroughan",
"repo": "nixinate",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1714465198,
"narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "refs/heads/master",
"repo": "nixos-hardware",
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1714514312,
@ -82,15 +151,119 @@
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-sourcehut": {
"locked": {
"lastModified": 1712771850,
"narHash": "sha256-Wb/xWLVSi5rZCRna2IUs43NVdquTlaQ/YNyx2IU79SQ=",
"owner": "christoph-heiss",
"repo": "nixpkgs",
"rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042",
"type": "github"
},
"original": {
"owner": "christoph-heiss",
"ref": "refs/heads/sourcehut-fix",
"repo": "nixpkgs",
"rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nixgl": "nixgl",
"nixinate": "nixinate",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-sourcehut": "nixpkgs-sourcehut",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
},
"locked": {
"lastModified": 1689976554,
"narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "refs/heads/master",
"repo": "nixos-mailserver",
"rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
"type": "gitlab"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1713668495,
"narHash": "sha256-4BvlfPfyUmB1U0r/oOF6jGEW/pG59c5yv6PJwgucTNM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "09f1bc8ba3277c0f052f7887ec92721501541938",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "refs/heads/master",
"repo": "sops-nix",
"rev": "09f1bc8ba3277c0f052f7887ec92721501541938",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -125,6 +298,21 @@
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

flake.nix

@ -17,6 +17,28 @@
rev = "2b87a11125f988a9f67ee63eeaa3682bc841d9b5"; # 06-05-2024
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware = {
type = "github";
owner = "NixOS";
repo = "nixos-hardware";
ref = "refs/heads/master";
rev = "68d680c1b7c0e67a9b2144d6776583ee83664ef4"; # 30-04-2024
};
nixpkgs-sourcehut = {
type = "github";
owner = "christoph-heiss";
repo = "nixpkgs";
ref = "refs/heads/sourcehut-fix";
rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042";
};
simple-nixos-mailserver = {
type = "gitlab";
owner = "simple-nixos-mailserver";
repo = "nixos-mailserver";
ref = "refs/heads/master";
rev = "c63f6e7b053c18325194ff0e274dba44e8d2271e"; # 21-07-2023
inputs.nixpkgs.follows = "nixpkgs";
};
nixgl = {
type = "github";
owner = "guibou";
@ -31,10 +53,24 @@
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixinate = {
url = "github:MatthewCroughan/nixinate";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
type = "github";
owner = "Mic92";
repo = "sops-nix";
ref = "refs/heads/master";
rev = "09f1bc8ba3277c0f052f7887ec92721501541938"; # 21-04-2024
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-stable.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, home-manager, nixgl, flake-utils, treefmt-nix, ... }:
outputs = { self, nixpkgs, home-manager, nixos-hardware, nixpkgs-sourcehut
, simple-nixos-mailserver, nixgl, flake-utils, treefmt-nix, nixinate
, sops-nix }:
flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
let
pkgs = import nixpkgs { inherit system; };
@ -43,69 +79,23 @@
treefmt = treefmt-nix.lib.evalModule pkgs {
projectRootFile = "flake.nix";
programs = {
nixfmt.enable = true;
stylua.enable = true;
statix.enable = true;
deadnix.enable = true;
nixfmt.enable = true;
prettier.enable = true;
shellcheck.enable = true;
statix.enable = true;
stylua.enable = true;
};
};
mkMorphDeploy = selector: name:
pkgs.writeShellScript "deploy-${selector}-${name}" ''
set -x
${pkgs.morph}/bin/morph deploy --show-trace --passwd --${selector} "${name}" ./default.nix switch
'';
mkMorphBuild = selector: name:
pkgs.writeShellScript "build-${selector}-${name}" ''
set -x
${pkgs.morph}/bin/morph build --show-trace --${selector} "${name}" ./default.nix
'';
mkMorphUploadSecrets = selector: name:
pkgs.writeShellScript "deploy-${selector}-${name}" ''
set -x
${pkgs.morph}/bin/morph upload-secrets --show-trace --passwd --${selector} "${name}" ./default.nix
'';
mkHomeManagerFlake = name:
pkgs.writeShellScript "hm-flake-${name}" ''
set -x
${pkgs.home-manager}/bin/home-manager switch --flake .#${name} -b bak
'';
machines = [ "back" "fort" "tank" "trek" "zero" ];
tags = [ "baremetal" "desktop" "external" "homelab" "server" "vm" ];
in {
apps = (builtins.listToAttrs (map (name: {
inherit name;
value = {
type = "app";
program = "${mkMorphDeploy "on" name}";
};
}) machines)) // {
tags = builtins.listToAttrs (map (name: {
inherit name;
value = {
type = "app";
program = "${mkMorphDeploy "tagged" name}";
};
}) tags);
build = builtins.listToAttrs (map (name: {
inherit name;
value = {
type = "app";
program = "${mkMorphBuild "on" name}";
};
}) machines);
upload-secrets = builtins.listToAttrs (map (name: {
inherit name;
value = {
type = "app";
program = "${mkMorphUploadSecrets "on" name}";
};
}) machines);
apps = (nixinate.nixinate.${system} self).nixinate // {
maui = {
type = "app";
program = "${mkHomeManagerFlake "maui"}";
@ -119,9 +109,70 @@
formatter = treefmt.config.build.wrapper;
devShells.default =
pkgs.mkShell { inputsFrom = [ treefmt.config.build.devShell ]; };
}) // (let inherit (import ./sources.nix) overlays;
devShells.default = pkgs.mkShell {
inputsFrom = [ treefmt.config.build.devShell ];
nativeBuildInputs = with pkgs; [ age sops ];
};
}) // (let
overlays = [
(import ./pkgs)
(self: super: {
vimPlugins = super.vimPlugins
// (import ./pkgs/vim-plugins.nix self super);
})
(_: super: {
inherit (import nixpkgs-sourcehut { inherit (super) system; })
sourcehut;
})
];
machines = {
back = { };
fort = { };
tank.extraModules = [{
disabledModules = [ "services/misc/sourcehut" ];
imports =
[ "${nixpkgs-sourcehut}/nixos/modules/services/misc/sourcehut" ];
}];
trek.extraModules =
[ nixos-hardware.nixosModules.framework-12th-gen-intel ];
zero = { };
};
mkSystem = name:
{ extraModules ? [ ], system ? "x86_64-linux" }:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [
sops-nix.nixosModules.sops
simple-nixos-mailserver.nixosModules.mailserver
{ nixpkgs = { inherit overlays; }; }
home-manager.nixosModules.home-manager
{
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
}
# who doesn't love a bit of composability
({ config, ... }: {
_module.args = {
inherit (config.sops) secrets;
my = import ./secrets/my.nix;
nixinate = {
host = name;
sshUser = "christoph";
buildOn = "local";
substituteOnTarget = true;
};
};
imports = [ (./machines + "/${name}.nix") ];
networking.hostName = name;
sops.age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
})
] ++ (builtins.attrValues self.nixosModules) ++ extraModules;
};
in {
homeConfigurations.maui = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs {
@ -131,5 +182,8 @@
modules = [ ./machines/maui.nix ];
};
nixosConfigurations = builtins.mapAttrs mkSystem machines;
nixosModules = import ./modules;
});
}
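Review bot: The new `nixinate` input is the only one in the inputs block left without an explicit commit: `nixinate = { url = "github:MatthewCroughan/nixinate"; ... }`, whereas the neighbouring additions (nixos-hardware, nixpkgs-sourcehut, simple-nixos-mailserver, sops-nix) all pin a `rev` with a date comment. flake.lock currently holds it at `452f33c60df5b72ad0858f5f2cf224bdf1f17746`, but a later `nix flake update` would silently move the tool that performs the deployments over SSH to whatever the default branch contains; for consistency with the rest of the file I would pin it in place, e.g. `url = "github:MatthewCroughan/nixinate/452f33c60df5b72ad0858f5f2cf224bdf1f17746"; # 25-02-2024`. Separately, if I read sops-nix right, `sops.age.generateKey = true` next to `sshKeyPaths` creates a second identity at `/var/lib/sops-nix/key.txt` on first boot, and no rule in `.sops.yaml` encrypts to such a key (it only lists the ssh-host-key-derived machine keys), so it is worth confirming that is intended rather than leaving an unused key on disk. The `outputs` body these hunks belong to starts and ends outside the hunks.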


@ -19,16 +19,13 @@ let
in {
imports = [
../secrets/machines/fort.nix
../secrets/morph/acme.nix
../secrets/morph/matrix.nix
../secrets/morph/restic.nix
../secrets/morph/wireguard
../services/alertmanager.nix
../services/conduit.nix
../services/fail2ban.nix
../services/matrix-hookshot.nix
../services/nginx.nix
../services/node-exporter.nix
../services/restic-client.nix
../services/web/c8h4-io.nix
../system/virtual-machine.nix
];
@ -73,26 +70,12 @@ in {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.hosts = my.homelab.hosts;
networking.firewall.allowedUDPPorts = with my.wireguard.netdevs; [
c8h4.wireguardConfig.ListenPort
airlab.wireguardConfig.ListenPort
];
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
"10-wan" = hetznerWanNetwork // {
address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ];
};
"40-wg-c8h4" = my.wireguard.networks.c8h4;
"41-wg-airlab" = my.wireguard.networks.airlab;
};
netdevs = {
"40-wg-c8h4" = my.wireguard.netdevs.c8h4;
"41-wg-airlab" = my.wireguard.netdevs.airlab;
networks."10-wan" = hetznerWanNetwork // {
address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ];
};
};
}


@ -3,10 +3,6 @@
{
imports = [
../secrets/machines/tank.nix
../secrets/morph/acme.nix
../secrets/morph/home-assistant.nix
../secrets/morph/restic.nix
../secrets/morph/sourcehut
../services/grafana.nix
../services/home-assistant.nix
../services/navidrome.nix
@ -15,9 +11,10 @@
../services/paperless.nix
../services/postgresql.nix
../services/prometheus.nix
../services/restic-client.nix
../services/sourcehut.nix
../services/vaultwarden.nix
../services/tt-rss.nix
../services/vaultwarden.nix
../system/baremetal-server.nix
../system/ucode-amd.nix
../system/zfs.nix
@ -85,6 +82,8 @@
powerManagement.cpuFreqGovernor = "powersave";
networking.nat.externalInterface = "enp4s0";
services.dashboard-icons = {
enable = true;
virtualHost = {


@ -1,12 +1,7 @@
{ pkgs, ... }:
let
nixosHardwareCommit = "a6aa8174fa61e55bd7e62d35464d3092aefe0421";
nixosHardware = fetchTarball
"https://github.com/NixOS/nixos-hardware/archive/${nixosHardwareCommit}.zip";
in {
{
imports = [
"${nixosHardware}/framework/12th-gen-intel"
../system/bluetooth.nix
../system/desktop.nix
../system/laptop.nix


@ -2,6 +2,7 @@
{
imports = [
../secrets/machines/zero.nix
../system/automation-target.nix
../system/desktop.nix
../system/ucode-amd.nix


@ -1,9 +1,7 @@
{
imports = [
./services/dashboard-icons.nix
./services/filebrowser.nix
./services/homer.nix
./services/matrix-hookshot.nix
./services/nextcloud.nix
];
dashboard-icons = import ./services/dashboard-icons.nix;
filebrowser = import ./services/filebrowser.nix;
homer = import ./services/homer.nix;
matrix-hookshot = import ./services/matrix-hookshot.nix;
nextcloud = import ./services/nextcloud.nix;
}


@ -5,8 +5,8 @@ let
cfg = config.my.services.nextcloud;
defineContainer = { name, package, hostName, port, hostAddress, localAddress
, adminUser, dataPath, dbName, settings, ... }: {
defineContainer = { package, hostName, port, hostAddress, localAddress
, adminUser, dataPath, dbName, adminpassFile, secretFile, settings, ... }: {
autoStart = true;
privateNetwork = true;
@ -23,16 +23,20 @@ let
hostPath = dataPath;
isReadOnly = false;
};
"/secrets".hostPath = "/var/secrets/nextcloud/${name}";
};
extraFlags = [
"--load-credential=adminpass:${adminpassFile}"
"--load-credential=secretfile:${secretFile}"
];
config = { lib, ... }: {
services.nextcloud = {
enable = true;
inherit hostName package;
autoUpdateApps.enable = true;
maxUploadSize = "4G";
secretFile = "/secrets/secrets.json";
secretFile = "/run/secrets/secretfile";
datadir = "/data";
caching.redis = true;
configureRedis = true;
@ -48,7 +52,7 @@ let
};
config = {
adminuser = adminUser;
adminpassFile = "/secrets/adminpass";
adminpassFile = "/run/secrets/adminpass";
dbtype = "pgsql";
dbuser = dbName;
dbname = dbName;
@ -61,13 +65,18 @@ let
};
};
systemd.tmpfiles.settings."50-nextcloud-secrets"."/run/secrets".d = {
user = "nextcloud";
group = "nextcloud";
mode = "0750";
};
systemd.services.nextcloud-setup = {
wantedBy = mkForce [ ];
serviceConfig.LoadCredential =
[ "adminpass:adminpass" "secretfile:secretfile" ];
preStart = ''
# wait for postgresql to be reachable
while ! ${pkgs.postgresql}/bin/psql -h ${hostAddress} -U ${dbName} -c 'select 1;'; do
sleep 1
done
cp -vf $CREDENTIALS_DIRECTORY/adminpass /run/secrets/
cp -vf $CREDENTIALS_DIRECTORY/secretfile /run/secrets/
'';
};
@ -161,6 +170,24 @@ in {
'';
};
adminpassFile = mkOption {
type = types.str;
description = ''
The full path to a file that contains the admin's password. Must be
readable by user `nextcloud`. The password is set only in the initial
setup of Nextcloud by the systemd service `nextcloud-setup.service`.
'';
};
secretFile = mkOption {
type = types.str;
description = ''
Secret options which will be appended to Nextcloud's config.php file (written as JSON, in the same
form as the [](#opt-services.nextcloud.extraOptions) option), for example
`{"redis":{"password":"secret"}}`.
'';
};
settings = mkOption {
type =
types.submodule { freeformType = (pkgs.formats.json { }).type; };
@ -178,7 +205,9 @@ in {
description = "Instances of Nextcloud to run as native NixOS containers";
};
config = lib.mkMerge [{
config = {
boot.kernelModules = [ "veth" ];
containers = lib.mapAttrs' (name: value:
let
srvName = "nc-${name}";
@ -203,5 +232,5 @@ in {
(builtins.attrNames cfg.instances);
enableIPv6 = true;
};
}];
};
}
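Review bot: The description added for `adminpassFile` still says the file "Must be readable by user `nextcloud`", but in the new design that path is a host-side file handed to the container through `--load-credential=adminpass:${adminpassFile}`, read by systemd-nspawn on the host; only the copy made in `preStart` (`cp -vf $CREDENTIALS_DIRECTORY/adminpass /run/secrets/`) has to be readable by `nextcloud`, and the same applies to `secretFile`. I would reword it to `The full host-side path of a file containing the admin password. It is passed into the container via systemd LoadCredential, so it only needs to be readable by root on the host; ...` and add the same host-path note to `secretFile`, since both are meant to be sops-managed host secrets now. A small nit in the same hunk: `$CREDENTIALS_DIRECTORY` is unquoted in both `cp` lines; `"$CREDENTIALS_DIRECTORY"/adminpass` is the safer form. The enclosing `defineContainer` binding starts before the first hunk.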

View file

@ -7,4 +7,5 @@ _: super:
git-multi-shortlog = super.callPackage ./git-multi-shortlog.nix { };
homer = super.callPackage ./homer { };
neomutt-export-patches = super.callPackage ./neomutt-export-patches.nix { };
sway-background-image = super.callPackage ./sway-background-image { };
}



@ -0,0 +1,14 @@
{ stdenv }:
stdenv.mkDerivation rec {
pname = "sway-background-image";
version = "0.1";
dontUnpack = true;
installPhase = ''
runHook preInstall
mkdir -p $out/share
cp -v ${./background.jpg} $out/share/background.jpg
runHook postInstall
'';
}
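Review bot: `rec` on `stdenv.mkDerivation rec {` is unnecessary here — none of `pname`, `version`, `dontUnpack` or `installPhase` refers to another attribute — so plain `stdenv.mkDerivation {` expresses the same thing without the recursive scope. The `installPhase` itself looks fine: `${./background.jpg}` expands to a store path, so the `cp -v` needs no extra quoting, and the `runHook` pair is in place.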


@ -1,2 +1,3 @@
* filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
sops/** !filter !diff

secrets/machines/zero.nix Normal file


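--- a/secrets/sops/acme.yaml
+++ b/secrets/sops/acme.yaml
@@ -0,0 +1,49 @@
+acme:
+token: ENC[AES256_GCM,data:AjN5ii6lsk8wWnpZn9EalVv7ixS3NuTKitXoKbaVo20GnnQkpm9xoj/VqZ+MOxEK,iv:qBNo6Dt7Amr4HG3xzzy7MW10OxywoNMJb9kg0TVsUv4=,tag:MhphDVk5vbZVjes+SiM2gQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcEJkTDZEV0o3NXV5cVFm
+OHd6a1NXNkNGcnZsQXlUTTZwUTZwOWtpL1dBCm5hd0RvVURsc3Z2M2VQa0lUY3lK
+S3lGU3NRMFp1QVE3OUJpR1J6TkQ2YUEKLS0tIGRlMm5FeGVuaXVIT2JCS1BqQkxO
+S2tMaGF6cEFyZ0l0T0NBMmp3WTg2eEUKgCLtBCkzTdwvKLPDshIpdetTDuQQ8Zpl
+kyA+/XaMns9ktzSMzkpRgGfjV1Ku9EhDFZCKppJZftiffNItyCOQew==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTQvSDcxRXZJMXFSTVUx
+akRxRFREME0rTHhoSFcwYkl3SFdiMXZjSW5VCkVWWklRckwrNExWSjJYNXRPWm9G
+RjFoQ0F2QTNDQXpOckN5bVRMWjFCcVEKLS0tIG1EelhsRlVvWDJqaTNFamNaOEQy
+T0pPdVE1SEU2TVd6Wi9IbzRBUXA4WXMKe5jdQPe13zhceh2xO9h9ergfaXzpuuSo
+iIw8luW2olJ9lxnYpws46zTQczVFx2TG3wcExS+vKsDrf4o7R/133w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1pVYTl3bkR6eGZDZGJm
+ODJFQnAvS1Zyd2JWMEVHVGtBaDh0cTRnLzBrCmpJY2FhNFBSNElGZGxWZ1FFY0FX
+SjJ3TmQ0dFNUMThWa3pOTmR3Z2FiVWcKLS0tIGZNckcxRUdObWNVRDF6cFFHSnhv
+WWNLMjhjNjVPbXV3V2k4NUJBUFRiazAKXPjQFiFKXkiDSgFE0UiUW/ULZQSW4uyZ
+X7qK4l7mWrvqStsK8Zv/wIUd9jkJpOh73X/jsBRDQUZF0V18lnDn3Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDNWa0tZenFDZ1pVMGxO
+Qm9IV0ZnL1BGVFlDOTl4SzBtN0RaUHJ5S3lNCkN6OU1jSU9Wd2czNWRXOHUzYVNt
+NXJ3S3pCbWZEN05zcWhXbjZpVnprWmsKLS0tIHdWdnE5ZlRoRjhNakZUdElSTkZp
+dFVvTjJqV0JFbUNWQ3NOOTZhMTlJcjQKIi6lDhbpM/ndyB7RsAN3q5PkdHL7RnF0
+u+bGTffWfiplvO+rASMaGoahez+VsEDb5MM00SoGzTMcYkrR2kruYw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-30T21:41:49Z"
+mac: ENC[AES256_GCM,data:ffmmRSAXvvsCK8WhmhclUz7eIVFM1Aw8eidvmSDofe+6H8PJvqJB4CQUphqQTDgfFKK9LHQzvU1vRZWtg6CqXy/SqLLUUcN3PfxZ7l895YDDi/9p7HJPUloxw/G8ovIJAAeHgJh2nQHHAbKcVAAILmB6UssCmTLeU9MzWcMTJmY=,iv:+jtQIqL+Mf88Akjkj09xvpk9cZ4GFl6w/Vx8gR3Gk8Y=,tag:qBc0i/vrLSc7EbErTLCz7Q==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1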


@ -0,0 +1,40 @@
alertmanager:
env: ENC[AES256_GCM,data:Fr/L5I8t83pHPHdP3eXGnvFfl7C/N2Iw64Zpamr3Z3gLevsoD8pSSbWDqb1CuhATrYY5mR3M6vpyNh+UJPHqGbgMHiW6LZWClPvesJEU3xs4clo+YM+pYwG5oSpHiuN/raXQUpaQuOmeHK3OKLELJpSkY90FIiBvd9si43xCP4FYAdhCprxWJQtINSRGCrGmzvlNScCkXyhH/QOQsDOIWFAXn2+yGH85zOiBQEzmluclI2oWpZOUbHgk4MdMBu1tHRA7g/UF6AoXrTOyqgzo/w==,iv:yvHlQAOSCMtBBXHmqfEJu4//gTZp+9du9EWodheITqQ=,tag:T1vLhmTmCINGBvh1bBA5ig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTZNUW00U0xpM3dmR0RS
QXY2TGQ5MUFORHNwVWxsNjB0UjBZQmZkUlZZCnZIQzBFYXBESjNMYys0TXRMNUUz
VUVHZXFyNFhTdG1ZaWduRkp6ekVqbE0KLS0tIGVKTlBHYTVEWXFkWlR3MFdMajNj
bEs5V0F4Z2JpYTFTallaeGJGcGg5K2sKl7hxy3Tr6rkoe1MJm7VMBur9NeOwPHXo
hxGURTZdf9M7wjueXw5oYRm0fuvj1Iu40JfJ3XqhnqATohTnsHwbmA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTzJHWmMxNVlLR0d5UnB1
ZUdjN1lWQk1kOTN5TjczMVdjZDgwNVlUZjFnCnlwNTQ5YjYrOU5HRXlmbWdWeVox
MGZJa2RNTDBVQkFJTmFsUXhnZDBhYmcKLS0tIE9Ld2VmMkxFK2dabVQycDAzOXVJ
S3lsczU5eWtMSEJDdVMrOHFOd3N6UFEKskBDsioCfKT4qjQ1jOHYniE9I5YxzTRF
Hb/KoReUEW6DHsiOZKRcJt9KdE0iTguWiFjjQqIlDWgTfeDsyf8ySg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWlpmOUVkWU5WL0drMXZm
NEEwVkxDOHl1L0wyQkljSUcvRnRac1NCbXlnCnp1bzR3RllEYnprMkU5WmFBRlpK
QnhHZThheXVnSjk0Nlg4VU9zREpxQU0KLS0tIEcxVTZ5NjFzVE14YUJRQThzeU5w
cjdQVWM0bDEwb09XR2ZiTzRiN21wQkkKxDEhpgyYLs2HOnmNdumNpFVTuLuXnHey
c32B0ENhJgL7XNV3V/lHa7leQqA42e/R5u6v68OEelvTPqtxNPFktQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-06T22:12:26Z"
mac: ENC[AES256_GCM,data:ntbiXYuquh5vQxiv3A9wspLdXY+Wp3yCSkDtdIj4SMKlh84uyQ+oAfWo2Y0TqW9GVemzzWJs3JeEs7oMZXXP8PGRGiHShfBQ+DbIF3lsKVG6rZbaKkEnSPnDqdm2PdbuzNvr3f3sOOYVutmFxO3HHFNgu4NdFw6EQqubmS7qZxs=,iv:a42Tm/pVZ8ffJHRC6iMMkZEmKn/6Vkr8sp8sQQgyx24=,tag:jVHHgsBb9OHBee9nhoLRtw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

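--- a/secrets/sops/fort.yaml
+++ b/secrets/sops/fort.yaml
@@ -0,0 +1,40 @@
+restic:
+repo-password: ENC[AES256_GCM,data:Gdz45xcUbtoKsDBi+2U4ogi32zFMvq2CNuvSotOYIFg6wYFOQjt9MDdY4w2Mo7L0Cbhem8YgBE3qpJS9yaWozjfFzWT8ya3SqMDksgju6KwSoiS5WvWdsAXsgSu/jIqvLhWTfbt7SXmDQ8Dd4d/qPNKmtphnA1Jc0ttp3+ieE8U=,iv:7MHy52gC0xXoUBAj7ZB/yoOUS8EmPW1SPjTTtkcnWvQ=,tag:LZH/IElQ0ovP/ettxhP5Gw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzc0orOGppOFpKZ3hJbnRS
+UFJ2ZzBjNnNZVXp4SENGd0F5elJONkNrbmhJCnk3dDN5Ritjc2NiZis2SGNkbGVC
+aHJPT3R2ZytDQ2JlOUtJcUlEVjkvN0kKLS0tIFNuanJYc2JLVlBmNU9rT3l1TWhN
+RVRVYnRVS1lCeWRsdy9nYUtoUmk0RFEK+tSoWfpyeYW4exEz1/t2mgd/kcIrxZYH
+kygnj220NqLJcEHwnrUMjCvvPSlmDkTGCKZv0uBTmwg4zJpnORTRfg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM1JNSkY4YkdtZUkzNTFG
+L2FUQXk0RGNiVlBocGN1Qzl1bHB1allVWmdVCnMvdUpsekFTa09yWkNVVWlRazZI
+YU0vV0FUVWpReVhBVUdvOFJ6OWgrUGMKLS0tIGIzTFJHV3lwaE9EVXFqdzZaR2VL
+U2s1emNXZC8vSmpjaTJoNU92MEtsYWsKWAfGDwHnT7ly5kr4N1ZzK4l1UvYExcbT
+YgDn0GH0nMHARjYnIB0ZeqleZCC9Q1S00t4ly5SeLeCcrawgy/6OAg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZDJocG9PaDlCcjNHaVJT
+MmF6RFNZUFVYeG5RRm8zQVdQZWsyRHVyZVQwCk9ydEJEdEtYSWhHNTI3MDhDWjJK
+dTFEa0E1Mjd2QUYzK01WMDBnVWpnSFEKLS0tICtuTG9ZYmp3Mk91eXN1VEgvQVFZ
+Z3pDUlZwcDNDdXN0MURnUEdLY3VZTkEKa/D6UQfoBJqEb/xQHT4f14kkahjAKBXP
+O9CtZPQ0TzfIFKPA2doXTD+dhxYAzgipsYfe7zwDn/kYEoz1uJ9hIA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T12:52:36Z"
+mac: ENC[AES256_GCM,data:woldat8qOV5j48rCLMp6cc1d9BIcQgsh+QCN5SkBSsI+gu5MSVhwix3zQhCDrqNURwyc0e6cEMQAJQcTjIOU/ZAYZhEp+CwuDN3X8cwP0Rs8i2cH1dfWMi/r1obpodihm2nLUExX+6saY2afJw6sQLlt4DkqdUwq0f/9h4pBzbQ=,iv:dbsHPc5ZNyxXDuqVf6sBiPvEqOn/k0DvyFHiZYzcHR0=,tag:s/7b3GU/nZnhhSQjSaJLGg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1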

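--- a/secrets/sops/grafana.yaml
+++ b/secrets/sops/grafana.yaml
@@ -0,0 +1,40 @@
+grafana:
+secret-key: ENC[AES256_GCM,data:Hvc/Svt+22kjVQ5WeHj0ubFQBSivZBk75QWZa4jdYDK5vcH/CZsmZXLbaEIhY6aB+z8Mp0g3e9/WI1k9AIpIE5bZ89sPCpfxnfSdX8lF8uqRCOWRQ0Z6AUk/FXjzmZhWEotcHKqHE3dY3HZ0/VCLEsXNhNub9YCdm7FgLjEI+/I=,iv:E0yPJpPWSr6C7dVU2ZgY2gxna0Zt1BzX1CsHB86KULg=,tag:HZvimLJqijpk0cr6+zWNAg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YUxTanZxTTNYQ3FQZUZ3
+bFB3S01xWGZrQVVlQncwelNNbjV6ZWtOWmdjClJiSWR2TXVTYkNzMzJPdDUxanpG
+MlZYY25ZTE54M1JYUTU1eHBYSEZkNzgKLS0tIEpUbjhHblBYS1cwWEpoTVo5SFN2
+UTRLamVqZmhOd3hVZFlnLzZpOTdVYVEKaOkEAvGyBdsskjYwROeFzZb9y9csJTYg
+I0foVxkx6z9pgsBCXLpK1Ij5W1w9JSWo7KZhEQP+aX3980TryWdsnQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYXpUaW5iSDRaNVdXV3hM
+N1JaWmlvMmpQQ1diLzE2NXc2TTdiU0ZDalR3ClFMWnM1dVJHTmVReE1uc3dXeHVs
+VndhN1FEcVZQKzExM1pqQjY0a1ZaanMKLS0tIDUrZUZmTktkU1NqUmVKOTA4bU9B
+SDdBNlF0R1UrVlk2SElmU3RFbjBLanMKyzxYnV/MzZDV8b9pNwQ7p2F08pLkYB0Q
+NXykeRTWpjTVnU/ZPI17aVaRT5S2FZqJ6BQhs/H7DPcsq/rncRmeuw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNkRyMDNYdmZTM1JqT2FD
+RkNFc0N5WnhreFRQSDA2VTQyMmpFMEZhSFQ4CmUvLzE4dlBoVTZRWE1NajFpcll4
+YUZRaXNmMHp5RUdNMkJPbFIvV1N4TVkKLS0tIFZjVUt2V0RkVlNzRGIvRTU3VXVR
+dU5pN3VINExuamttNVQ3OUhMN1dleFEKA4/43ktlCmreJqBqbiFc/uzUppZoaUSm
+1Ywifo2FCsH+7kF1DxFlv36o3kNVkbkAse+Upiep+gqayJFZRgN32A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T13:18:57Z"
+mac: ENC[AES256_GCM,data:4MR71js5gK84Ta/UQhElkBZOuIKl8dQkbUqgE8+Ygi+W74vYnHEcNt1yk9usQJmn5qKa+nptWjTV2nHt6yn0HPCdFPAKGuL4d80VZozFbY181oGVYbuK45ZmTLAiP3ZVfztWp4IYHnoTBBh6EjOxrbKnCXN6Shratt8/Gq7PxBc=,iv:OmmyA5x0zEeKJpfi3IxAorPpw2jatT1JECU/kSOcEUI=,tag:xYQG+5DLtnbq3MWNNgpkuw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1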


@ -0,0 +1,43 @@
home-assistant:
automation-sshkey: ENC[AES256_GCM,data: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,iv:h2MUNcqxZaV4t1q3TzMt8NHUgp85YllsRRtiQt9n3gA=,tag:T/aPmhG8kHvc4It4KkVF/w==,type:str]
mosquitto:
home-assistant-password: ENC[AES256_GCM,data:En92egO+/kPWb9V8M0cwsFvwcl2mKunNM+g7qsUx9MzXLbQyiAqHaZDGNv/3vZ96tBQfWXt/xPx3LECQ0OYuAUS5nf47wpmiQ3vtJRpJ6dqZ4E3FjLmGg6iPx7M8xlzNtoO6uOT+pkWVOm7qmWTxkg==,iv:38y0Y0Znt4zAF8AuYBn3aHvE74ezB0fZKLbN7zBk8mk=,tag:33L7DWP5Ec1U9nFAVehYbg==,type:str]
tasmota-password: ENC[AES256_GCM,data:oUUgz09Pn+ts+RsKO+axdNlvtZ6r5pDErsZq8GCtyXzuoeQQRFiOqgbv/mC4S1mKQfUOM3ZEjv+VdkqueUDAT/LpbmStiTsXtttU7JrLx+oU++ZbwLK4Nsl5GkvsUnz33c1rpqGtoB3AALXqg8qSqw==,iv:tHPM9u5ckDiFIk1HxeNxvfl/GqTJRYxoQaVc4svIGFk=,tag:Ez8dBL3RL1ygLPHb45VfUA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEc3YnpvK3ZhanJmUk9y
SitEUklMT1ZKRHh4aE5JWFh3bTl5TE5tWGlvCi9EWS95ZjF4RzM4eWNHU1NiUUlx
dFRzVkFuNjh2Q3NpOFQvR3pQSzBXSU0KLS0tIEw0RDlxZ2JlWGZ1UzlGODBmS3NJ
bWh5SU1iM1JGeXVMT1QrTDhvcHpLeDgKzJbbv7e4b/Em/be7469UIPw0pmm0KskS
LTsXUitjzoaa6lQRZCjf2/mP4JOl3BGNxeqWiMfym/hjow2Oam42HA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bktyQ05OOUVLM25RVTlW
UnRJS29PaytTaTRHZUluMzNraHdleFlSMFhjClVId0VIcXVJZVYyWi9ONjIybC9k
eG1uMGw4SzQvZUhEQ0pQRnh3LytHWFUKLS0tIEtxYmw2TGpuM1UzMHB3QnYzV3da
Zlc3b1Rxa0ZaYnNMWTdRQlZ4WWZjUkkKp2D67jhQgVbCRYLEQzoz8jA8n69CspOr
8jjvPNJE1eXLJQG179E70ZDccF/yG5mHYSoOshLwtGM4xrURxf0jBw==
-----END AGE ENCRYPTED FILE-----
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwN3A5Uy9rYkxiRlhsdkFL
RXBta0Rja3NGSEkzVTBCcTlINmdlejlmN2pZCnBuS1RZb3dRQTlLOHVpc2RNOG1T
ZHpGd0Uvd1lZZU5lUEMvVHVFb0JvNTgKLS0tIDlhNjAvSHNyZ1dWc2U5VlpqTmNW
ZVBwcHZWK3BRY2VlSVB2YVVBaFZxNFkKkn2H/I6sKCpcgmoiqG+0qtrA2PTyEuRW
N4Oxr+fcVq4+leme6d38yB/Eryjbd+trrnMxLR8AEi3rIiDx+gJWcg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-08T15:50:28Z"
mac: ENC[AES256_GCM,data:8fpPTyxewb0awHMeUh/qjFxzWRyhDRwULWJK4RphVfqFKIzPSiCwKE6qhgYFi69J+BLXFnIteChP2KxBASzZGrtOD0jDGHsO/c4UTtl3BWAwWVRGZ8ZFBbhYCICGDULyHygtT4vcgS/Umft6wv0eOWTCS6W4HSJsC2TfhgnVkzU=,iv:PKVTbjvmkZ/nY0Duy7mW8BSgHNExml0sKcL2JPoRnEI=,tag:kkTSB12eGIVPwJrYgUDvVw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,41 @@
matrix-hookshot:
env: ENC[AES256_GCM,data:vqm+Flo+y7XROiB51SordqeXh9wpWrTZ/80MBOCOGmdGbTVMvH0K06n0sr4AscXn9Gw+6L91B35kl1rIJiDUKriP9mA3lYUS2j4tKsWGESngeKeP0pngzPf3V27a+U4v93ReDfq/kUfdBNMLiNiWSXtKapVdz1IB4WNxTTsnYtfRi/dGndch28I0G2o2VLf2ghKungvW33U=,iv:9bBl7kyz7U3GtIeqUk22SDkxe9MhEc6XM5dCSUvUwjE=,tag:aHx5W79v/YzHmIBOQeHWNg==,type:str]
passfile: ENC[AES256_GCM,data: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,iv:hWTkuVCPiSO6aclZM1cU2PotQBjaO8Uq3O0XNnGDm6o=,tag:k0oCxolcwNA+GtJfaBZVBw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0US9hL0RMK0hSZmxHMCtn
V01TcnJTOTZJODYycm84ODZIM1ZIQU9EWVZJCkh1aFFNN0ZKclJid1AyK1QxR21a
ZmZRRGxzZk9UVitCeU1wN29yeTZHSUEKLS0tIGNkL1dFN2oyaHBKcmJvWjBkbGZ6
Z0FyUjBPZGNjdWx6STBQa2lnUGtzNlUKYRiugiqHyqS4/5Leji9044a6FXy0R7ZM
n+uscxe/OnFcoasx4TFAOUCwa1s6fvtq/SOJTxL2New+8BgLV9nxCA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RUttWTlJN0pwMWFSNWVX
TnZiSHFmUnh3WXZNUGRlOHhzelFneTQrY1MwClJyalhaci9hU0J4V05YMnB3VGY2
WFdqK3VIQzh1aVZWQ1djRVJGMC9mRWsKLS0tIEpYVFREMVEwTzFFOFBPNit6ck0w
cGh6eGtPZGpCN1ZMZ3F4KzZmNFluQm8KYfyCDrTJy5T8fNpLg4cyPJlE0AOV0OUu
l0ACXuq7WzQnM9svHjijYkKWeYvdAPF8CBRA57s00aCd2r9kOi1Szg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZ1l2MnVETUN0WGwyMkN1
SWhreFhMSnIyUnJReWhxQkYvSlNqVFdSd0NrCmp5U1Q3ckZVM05pbm8wcHBqY0xZ
Y3ZxaE5uZXhHWHRmNWlKdG5tcmM0S00KLS0tIEVCN0x0SkV5VS9ZWWt1VE5iNXBN
VHh4K1JhOGROOG1oM3ZnR3VoTkoxNmMKHAJQuIImN5NLRpzgL82ZH+wF02XJQmXH
dPUp0aYr0vSd/PGxAyDpsMPt64NXPDqKQ9n1zrPV8Jd3+FsIDhwnXQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-30T21:40:56Z"
mac: ENC[AES256_GCM,data:6weRfuKB5HJo06VSfFEDh8/YPwZejJlcK5BnGCYFOr2V7JmnpcjnWiEps1axkzzdiUq3gkdwu51PO1/jiJs/mCLFNrUq/KjqpYupoCYosF3p9ZDZc8LPteO1vj77tqMO6dcrNd51wYK896v2E2xT8ePRUDtQ7bO13fAdaN8f9pg=,iv:vlNvvlckY+i9+VlyTv2ZqO4tAujr9qsC7paWA7BGT4A=,tag:VIuvWvnnPmi4df/QliTn+Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,40 @@
navidrome:
env: ENC[AES256_GCM,data:+4uLJIdX/JPTjset854P1+lrbgLi0WydExsFwLs3B13DICDcgRie/PF8z0BxXXLh0aSWfq9pAMpvXEpJBTmRu6iK8eqsUbZO21bOy0x9zSYBQweN2FMsBvV4GmJwS8ko/fhKGJ+EevGZDJE6muSX0094vGR/l0X51cUYa5fusxcbk+HIepOXOkF1ucUFNGDEgO3ruwOZiCmU9Kr4ihAlUe6/qQmfJLiAVjFtpZNLslkq6epe8A+qOtqHji2qZwL71plaV3lvdp1TEGLgvoHjkr/yP1tVpEp+lIE=,iv:z69DLHfWAinJEJ8sUusmqGxEaUeZx3iSngYcA0j+Snk=,tag:bDR5tT1Q0iwfYRKO8+DI6A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYU5XR2U1THZWMWZ1Lys2
N25mUkxDSnlQd1Q3clFhdGtPaW9iTW9yWGdBCmN4S1VVS3llL1ZlSDFqUGNXWlBo
bkxCaGxCZGQ3VWV2eU1LcTFNSTA1S28KLS0tIDdZSEhFbTZ5cnpwaGdJRFd4Y2c3
eUlmaHRlMGJCZk8wR0lyenl0NENBU2sKah3v9tYW5ZK0AaM5qP0tH50MjsgaEV4G
D9b0Kn7mTT3QiO8RxlS/S0KgGQDZsraK+pY5x+568NLBIAF2aUZ6GA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3d1FOK3FSckFITVZwaUpj
ZWVjdkF1TUhsQ0U1MjNiTEFqdFVLUzQxU2xjCnZHZzUzU3dEalJxUlVFelNuK0tM
UWZhMHEwZ21oc3Z6T1BZcVlpNTRTZEUKLS0tIGdDajRlVGptcFcyY0lWVXpKMXJk
SUNOWHNlNDNqZ3RwYTJaWWYzTnBRY0UKVpvec0GUgSXRfPzZBRySsRxoVe3DEHEN
99bUlaTtHYWzWpU0hXkvjCe5Z7eQwqwor9/CJaeZIdt8PJ9nAAeRmQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub2dTc1RReUFTYU9NMFJn
bVgvUVBta21BMVNQRnN1SU8xbXMwZEcvV2kwCnYzL2xWcUc5TmZGN3k4NTVramZV
bU1hU0pjNm1ndFBQbm5LcTE1N2NDR1EKLS0tIGdRb3o5dVEvNXB4dXdiVllIRU5G
cWlRUkVkSFpRY2NyOTI3YlpnTEVSc3MKkUZKvhBErMZOhukmNarYCTqIoBgYP8i+
bGaVfqOR6zCiWncN5j327BvM3Z+0wPWDbT6PUOwsRddzigRwB6E0Tg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-03T13:22:57Z"
mac: ENC[AES256_GCM,data:L2lWeSVK7wsvrLirgEvEl7A3a2+N95N4GzjTl0joE0AWQ/4V/QgPLmo+teg/oucgpitWTIhCPkfa6P2+2vVMwIdk1mhKTorhT1D2n8TjkBN4rpJ8SaxgUG4/awS89YGoQcy2HCWssV+16GOoo7veJg8TLfMGIRGKuRYjG+Y/d/o=,iv:icoLwQgjLSGtZ0M7eyXMqwQl1YBpFuW+KUwEImI8qYI=,tag:ecfpXcAqA9/JH0ECNsIJLQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

50
secrets/sops/restic.yaml Normal file

@ -0,0 +1,50 @@
restic:
rest-env: ENC[AES256_GCM,data:HPVJE/y4Jxh4ibfJwdqXqWXpyDIu0FJTf+PzFcANmu9q8m/KFhThu8IWkBYysZb67a+utYT0F/m22q0sm/xJ/4RKE1qHrDcepHf9Cv8d1WYwmh84mzgwaWmyj7iRZuUHdS3anQbIxXaWnLhugs1FrPypw31/LDbety6O2TdTfxN8gdpSTIfa7TWCXu+AQtHiViyZVLeRIpKsYYvdGfUmbL1KnpEzIN0CgyFqies9DJ0lzdE=,iv:HdzmjH1B5zVS2l1EHJBnVTBotjWZldzV7ErVuDuyQKo=,tag:++0dfGGVTugAPm4NpoykeQ==,type:str]
backup-bot-env: ENC[AES256_GCM,data:OG1VqtFVISGeZgZ9mKSBMLJgQpILriXDlWCuMVoiiX3/YObidOD781VZF5haWbAuVP68dIr0Fux8UExcJWyZsrw=,iv:74+UBOYeUHqw5WHBSLel9op+Jj3PzXiU5v5v15aNpMU=,tag:Ui30VnSTiLOi8siB9csCsw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UXlPSEk0RmNMNmlpVUxo
YXNZSVlDRDFpY1MxNi9MRThSVm9YbXEzK0JJCjdINXhhV00vS3ZBaWQxQ3NMdE4w
N1JtbVpHRW1SbGE4UkhtUWVsanZ3TUEKLS0tIHJySXVCbXYxME41NFVET0pxMENs
STNWcitXM0NQL3ZFdENDVGxzMEY2NFkKQp/XDzlkZP+pCEpcBfO9rMKZV/1qIv8T
mpSV3924dwZ8XmyGhRUM7egMMJ8/2ifBhxNVoeccG1O7x3K/1R5bJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WmVINVpudk5ON2UyUkFD
bG1ianZoYVAydWJ5ZWdwUHNMZENneUpldmxNCk1qNVcvK2doeklkQzdFaTFDNDQy
WU9TRERGT0g2RG55MnlLM04vaU81K0EKLS0tIERGQ205bHVzVCtoVVJUcnAwNU4z
OGtvV3ZyVG1ManU5a2MyVXp2cTR4M0EKvyQ2AIju+tF+R4PRWyB6fnX0CJhQ+6Ug
hP5d42y2XMhUaSGs1/K7Ad9XnMKt1com3fY5mCfpLYQyoklS+bGeKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTVVSTHN2OWViVlRlQlNy
cXZQVmZmbzI3anJWYXIrcGUrVFdkRURHRlZ3CmtJOHZNQWMxVEw0ZzhFb3BiTXVF
bXUyZ3BhV0x0MWNzcVZ0Z3M5MFA5d28KLS0tIDdCQmxSbjIyQ0JUU1JFNnQ4b0Rj
S25zUDAvbFhoa1F3UEFUOWRSQzJ3VEUKn9Fy2TxYKGliELukaUURj8HsEY6ty49f
N1H4wqCKJSLJ5hM6YhtMosYrhaCjAoIHnp24iRihRL9ZoVwd0Azh3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bU1MSWRKMDFsU2tPNHdh
ZFdOUndTYUN3bkMwVHBXSlo2anp4ZHJEWDJnClhVbTBjdWR1b3RZTnRaTEZITzZL
V1BCMWIyS3lkL1N2dm1RUlVwN2ZOd0EKLS0tIHRuUzZidlBXb3R6RXlOV1pDUG9n
eVJpeDEvenVMYW5FUzdyNmg0NUVmT2sKTVGZsXZw6ZsWkfS9b22JerQD3QyPX872
tn+RuOH3/OjuXtEgAf6l0blEbAVZtWoaJeHIx2D9w5zB6EYWSkuUoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-30T22:18:59Z"
mac: ENC[AES256_GCM,data:0HBs76F4J4RALM1LHraqQFk11T/O+QcV3eJoDt4M/k1LnQSMmuQMwwGXqk9YW3uRwQ4fFR/3jCIFNge9qWmQPRId6dv1sFUHbUFFQXJpaOAa8BPDkTFHl3jZlqEnQTMNT73oP/SKOYTKB0h076zqY+bU7c/ymuLIYpfyGFV37xY=,iv:zk+67VYRFRauSK3AT8WQmc5F6Sf316Ba7Ev3iNm2ma0=,tag:9EESzZJBWW8yuZ2svcMuSQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

File diff suppressed because one or more lines are too long

47
secrets/sops/tank.yaml Normal file

@ -0,0 +1,47 @@
home-assistant:
prometheus-token: ENC[AES256_GCM,data:RcAjtXbaFwf3uJFO1/M15UXxK+Dae3kjwznYL9MBRDXbi9QLGPfmFKrV0su8G0GDpoAMZ8Eg/jdU5KuiGD7DL8bNzicpE4+CI/GWdDShLmw+Yj3H3bfUY+2E9ZOG0ZUUoeo5I+i1SH2LbKpAxVwt0z6LawArUVtK8LFSgYpHE3ACHCNcDOToJYbYHBcJjBIl+TWbFvRTzUPaKhreOn37bvmKhIRKI8GqC7jCa8qRhyMZYI/cv8W0,iv:rXpIaPkQVj7I69bdZ9d75VMhriGIm42Fwmmn1uUAgs8=,tag:ACoFQ4O7fUYffisvz9FvQQ==,type:str]
restic:
repo-password: ENC[AES256_GCM,data:Lpm3ewlYz5ZNHEqkT1Z8IuKo8t/AVgGeFpTwPahdCIY437lAhKuuXso6F9Yi9M9g4xv6zirX2UJ2hdqtnUH3oaSZZJGJo4xpTqx3EYQumQM3aF7zcCH31eQbynwWV3BuYlsRqRDI7NzP/EkuHqfTTm0xU8znBSLIkcMF6rTdavQ=,iv:zcGD0yroyyet80Z/9YQmB4i+72/OsY0AnN6qgP4ZihU=,tag:h2DduuJc+QQXXYwse7/Ryw==,type:str]
nextcloud:
#ENC[AES256_GCM,data:0vQ6wCqKtkDt8AiFObVEe0MQLxoWOYcrYn8sp2rDn50DyehAXQ==,iv://ePZvGMpgVTByRjTKXpc5SNPSQGAbFnmECPqZ7hxps=,tag:DASalULgBJtcFy8Zn99Pjw==,type:comment]
842fd10d-4277-4f73-b37a-f2082987d0b3:
secretfile: ENC[AES256_GCM,data:8iYXj6xZBJS2tAvJ9l7pQWdVsvwDtkHG8PopbeMlbfborJQEEXRTxgwMRaDSa9KvUzF+/IgnEnTLTxFjS+SuPm9E8boH4igIDK8eEJxbV178IleI4RqYFyulbtMquCFPQzIsNuR5219JSFwfFThcdL4H6WJbgG8YWECu6BqkNZMohEQfFXAV9zR+fb3K2ZdeVP09wYKu0a0VBcO8Xyvu/wmto71eFZ//x0L/c3sOnUEzmPnlVE9FRY4E7zFhVt+w6MoOOTRF1jwypavgs7pd/odW6GSF/9b+xRvmkt2OCHxTomXUa2i9d6Svchg/O7hLOAB3LgIarg==,iv:Hb27e9oBjJLZmlZ5xKiiZ9VwB6B2S3mXVx4egcvgCGM=,tag:uoa/nj5sAEcEZ5oXCuZIaA==,type:str]
adminpass: ENC[AES256_GCM,data:SntQz/z73eiQxt5yskKZNJNkYifj4yqJ8+IDG+uOc9JseFhFdb++r55GTOWIKwXS8T/jYMM+l6KyZtOUM+hZjzHGKujvkuZ8CNOVLLedJUwhI6ysVSH2l3wZSVxNdVtx3b3iyVMwcOpvWZSz6tRJaUSrapFzASBvF7euiODZP8A=,iv:prW1yBa6mBTjIiZCSfVAu6/8Ea7542f30ibDnsX37nE=,tag:fLKjfeUoKwAmR+nK1u54Qg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldU9tSlk4Rm9qYk5xMkU5
aFllMVlXMFVOZlA4WnV2eU1xWVBIalJTczBNCnNMMjl6d3B2WnhtMGdBV0J0WWk3
eVdvNXhTT1pFWUFKWDAzd0xHVzNwbnMKLS0tIHNEQ29DN25nODRmYmhBVWJ2aXRW
Sk43ajhwZll3L3NCWmZUbktxUFNUZXcKXNdUkkuor/0pCWzsWDpb7329D03qJOca
W3nLFEApBkKFd/UE2duprkZMIfrTFiUowS0L3XUuaMoLXVZU2ftOqg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyS1d4Vk5oZWN4WGdxSmM1
ZWFuSnFKZzBXWWxpdXZRSG44dmdLMnhpMUFrCmFzcFJqTEU3QUJ4Q20vTTRkR1ha
cFRlamhQYzFML21mU1ZDYkFvVVlJMlkKLS0tIEl0TGp6YndCbjRWakNDTlA5R3F6
aDRHM2hDelNHUjFCMk9xZlA1RGE4RXcKRMxp94CWD85NTFZZe6d/rlummb1SHHWu
QaTuGfYv+sB/lzUmChujUc8UBjN9Rg9XHVgXhpIJE1dR/NSzK42Gbw==
-----END AGE ENCRYPTED FILE-----
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzS2VqOVdKNkcyRndML2Qv
QVgyMWp0V281TUVJRU5BM05XRGFYMkJpeWpVCkVWZEptSUk3dVZHOVhZcWFXQ3B3
M0ZCQXNuNFdpY2lLaFZET3ZnSHhsZEUKLS0tICtiM0krNEg1MjhqcXkvYUtxTnJo
UklDUGdkWWxxVHhQTGdNL2hNRm94Sk0KdtYGJQdTzDO/CBB/4B1vEjgnCDuiTrJ3
tshBxNWTCRUarMKYiCkxMAIXr/ws42rV5zSZeZLpuUZ1ny6fUG1z2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-07T10:10:00Z"
mac: ENC[AES256_GCM,data:+KTX7YUOpOzaQiON5m+eeS24MrPV+USvIyUbbXUlj1HT8ryfqP4pSof58po4S7rKD8xGVduYVGT5yFKZBXMe/pQXey0Y2vuxnG9zNX4Lc0wisvh2lxsQxLYzdcnnjR/YjGCRJDxX8+eQuGonR4EEe0aaf7x4zHL1xOY5aXLyE34=,iv:bp1W9AUeLHC0yro0ayCht9PV/rH6XhyXz/kZGRmOGxE=,tag:xHMw+g2L//PDjEW1cfPwZg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,40 @@
vaultwarden:
env: ENC[AES256_GCM,data:0Ayxqf30Gto5ek5l4ECbTrgwg7XVfA9L+viFX2FfHJsEfmAg4PY7aO/43JvQEfYOMz0Hnpus1bEDgUUSiuiRFB830GkQ9f/70GcMP8V4GjZyM0JDpOt7Mr585cWow0Z7zC4oGCXamFeFL0tsMZbtpWp0rftP/RBiK8zlLYT/ggJkC+6R6wtN7nqXpvwO+0ttyhsiB9oDLWnLawnxa2R6+zcd+r/Agk8eVG+yDrY=,iv:mH9MC80np5TVzN+u3IddBei05lye2oqH4CKFeBI2/hY=,tag:p5kBU3AQWsz7tlsznp6ZMg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETVJvWEtjUnNzMlZUMkYr
QTk5bVhPYjBFWU5mRzJLR2RQUlFIK0ZaQnlNCnI3NnVIS2xRQUFkUVR0K0xWVExP
WjB5S0Z6WlliOW9ORjk1ZnMxT1pvNzQKLS0tIHVxVFZSTDJlc2dSUUx2Z1V3QXI1
N2FLTU1udTU5RU9ZNzhaNXAzcHcvMUUKyqiyDv/k7rQ+MLDlWdYAsHValDTK3jS8
1V870Xhu3HYc1yMYrPw1PvNdQ5BHT+a18h4MRwhG/f2SyJUsvdo7bQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aE9qK2R3bVozTDRGNUtw
KzBETkplaVB2aTJ6a052YUpGVWxTV2xaTm5BClhySjUrd1pqME5jS0ZMYW1FcVdw
U1NwSHZHZ2VpQUlxT1VMU3lJdXFCM1UKLS0tIHVhcTBsbjVzVElSam16Y3RsWDdX
S0FrN3dTdjFETzEweVdJTEJvNzlHYTQKUmggWKUhl1dXR2+gRyCpKG0sNf++zmnf
2GGdj2UTNs2reAUaz/Q/Ytb37mZ1gNYNUCLiuGVAwmiAOYVKsoxD+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSlFHdmY3VVlTWXA4VmpT
aDlvYm1LajdrWjZvZGFXMDAxTGRnRXRCRkFjCkd2TDNpQVBhTWdCWXdmaEtHbExX
TWJLL0R6R0l4ODVMRUVIemJmKzc5eUkKLS0tIHlaZE0wTExuaDdoQktDNzlhS25z
b0VQbTV4QXJwbGxuSUY3UTltOE54cmsKPvF1SVinNyg55qWPJdKHrBjymVnG5Ovj
/UaIg2/ZZTuycf2Vbpl22ICLWNjEQUJ/0p9Yqe/orXLUFd/27vsB6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-03T13:14:32Z"
mac: ENC[AES256_GCM,data:xRCSk5E/sl0A2//xh1Qi91whUrAeN/ZMHuxAVdSeT0YxKQWQ9RKMaQQzZAm/fiiQzeEhm45LLg24X5iPNeu3nQbEwO0CZlAuWLgDCYsIaw2mNtZKQSNl7W5hEwXamqlDqQVSjyctuQ70AZEacIixrnn+o2XABW8EZeExhvzDTGg=,iv:1p97jbZB0zHn6invGdjuy0q34P1ToMx+ZHyITfMGKJk=,tag:BD5ZjIRFJ0zYKg8YewLRWQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,53 @@
wireguard:
#ENC[AES256_GCM,data:OLWr/KieDmV+/dSiUBp2xs6gLSIo8g==,iv:Qzzsu4iYSd0AhNO+VWpiV4FZekQb/aaGK5QQbLguh5E=,tag:HqhA5VW1jiIizKrpQcNr8Q==,type:comment]
5b2b3c29-2dcc-48cd-957c-c7e9d3d02d1d: ENC[AES256_GCM,data:OoexGaislazlqlabTSXKrj9eZOqd2V+IQw6jGOsbI7A99zWmZYLFmHH0Bng=,iv:1Uqcd16bnrt7tcAPZSntGXAUyQfZlWzNIDtBOeckVL0=,tag:ZOP8EqC1Vz6pV3OiybkypQ==,type:str]
#ENC[AES256_GCM,data:o6ONW1W1c7gPnUZIb/+GcUYd8sH0VVS6,iv:JGFmr71CzrusnGF6qBI2ZPq9MjuhpM+KFU7e62A291o=,tag:kf4GKCI2fPmMd2ULsNCGYg==,type:comment]
7f249c50-7b40-4657-972c-e0a5adc1e1fc: ENC[AES256_GCM,data:kTIXnvmHkzhm2vgiEH8Bcac1VqZzLDp8FJArd9vrIaSLg+BZkaz7U21buYs=,iv:5r7Aba02tBjWe6pevo9TRi5zYc6BNQ4DQdAp2IpcvZc=,tag:uxhlSFeQ7jG1Bnc8j2ZTTg==,type:str]
#ENC[AES256_GCM,data:0EIWbVmp3xI3VMN8mnKzQbc6VUNCIgy4,iv:dungCF6Ovt3rxt8xf5T1e8j+FZGi7VISc70938dcLSI=,tag:7P/SFaLIbWNKMpYHhZiCGQ==,type:comment]
da994091-27db-4547-a05c-c2bf4e6e87e9: ENC[AES256_GCM,data:k1Cqp9KE3PHOXe9H2Uy4AkcxzLQCkrQNSc+aLj45LI1ftJg/+4sdLKXk+/Y=,iv:hZO16KCfc/YmyOoLzE+n5qEeX/Qtgsg7ZHvbfd8JnhI=,tag:BLKJfQmHy8U6jzOIpNClxA==,type:str]
#ENC[AES256_GCM,data:UuYULtcN+UHUIEVdLKYVis2B0O4ZaZ3c,iv:9sLo6QKMwDX3UWyBGEeRrhIN9Jm/aSvlPptxAO2hoyc=,tag:ZqwO3FG3zta/WSYwkIwqUA==,type:comment]
b2b7693d-35ac-4c49-bc35-4b99b075d891: ENC[AES256_GCM,data:mo9axAdQ7hVepzT2bDDfc+L0Ju0R5hOUFJeoEi03ARTyNJux69tCgLUf6bI=,iv:KxMnQ1IttECX85HUvIQHmF4cEANnpzHVuCRpVC7dDkE=,tag:ZzjAKJAXR9porTVtVoTgLQ==,type:str]
#ENC[AES256_GCM,data:/n/QFVcAVIonCSPWjFyBD6YZn+Rbr6dL,iv:i+dLc6SBshnght0ULDsRNYy2VP5CiKiMVN91q7TpcPM=,tag:EOwRpwUq56oj3LGX9QnD9w==,type:comment]
fe1f7024-198e-43f0-8bd8-461a5565f424: ENC[AES256_GCM,data:2F2qo9NxfLtgnhimmF4niOcykgM3ZDYiy3kyjIzCXlD4+moHrLd7ae01wDg=,iv:Q6z779xQtcleJqWR5B831w1lFKIYuuGNK65HBaHFm9Q=,tag:wnL47S2S7o1xB1OWTjstyQ==,type:str]
#ENC[AES256_GCM,data:6OUepIquZtsTJWl8L7+JXDIqNb/RimG3,iv:2sdUGTPG3ERfvzxldZI5J6vSSPmLk9eI7CwsrTTOyrU=,tag:r389p8njBW70LhkZSAr7Fw==,type:comment]
7a57b7be-18d0-45e1-8432-a711d803358f: ENC[AES256_GCM,data:hR1VBdrHxVEWjfvtoZlFQTOSSW3E3oH1+hN40S1OhAOSScQOsn0pbQD4A60=,iv:26Woek+VoATD3ak9MP22fZr6kcfS8eWDlczulizGrkc=,tag:7Jkwwim/mXV7B9BX3DZp4A==,type:str]
#ENC[AES256_GCM,data:ziJN0QffpjSBfGeAwvLM9hNrIwEB3v3sJf8=,iv:s2B14RLbiM8GxALb4GWiZvJFmnfRoJI6jAwv0BBRQ6s=,tag:qIBgaSDebDY0jp4Lje/xgA==,type:comment]
a2ffe63a-d381-49ef-8cf2-deb469245582: ENC[AES256_GCM,data:3zospTsIAvR6+k6pTyPNabtaEvEISai9ZvaJk5l9S2owX4QmooQzQlm8CVk=,iv:iq96xIVybMD09dhE2n9ppI7wAwEqdOkSFOIu1gNdcfI=,tag:HHGbFSCCUKo2AINmY+CNOw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMlV2TFpxZVFkRjJ0R01S
NGJMbWt0Y1lGUFoyRFUwS3UyMnY3Z3B5S0NJCkh1cHU3WU9Qc1VEblNqUFJqNEtS
RVdBZ0YxM3Vnbi9IUDhyVHRCd3JWZXMKLS0tIE53aVBMNXRMcC9kMDQ4RHdKWEYv
MnNEOXNjYVk2Z2JueXZ5Z1pDY0M5WE0KflcFLEX+7N4ptKNshQvrk5ogvM3hA0gc
AadoiuqKaWbWnEv5jIa1UAYep4lwzguNXqBhMuGI5ywVRBrMSridHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV1N0enZJUUUyQzFVRnpy
ZEtsKzRralgzR2JnRmxIV0ZhSFRpRGZtclFRCjJ6Y3JVZ0p5Rm95MVFXR1pUMjd3
eUxPWFVWcFFFd3RlRVdRcm9lVGRCS3cKLS0tIFBPa1lmR0xnZlNWYWc4eTIwR1gy
SnNScEdQR1FJTk4wSVhYMjVFeThXTUEKAeUIAIQFNVvDGRpG5DbuXOOIyowAdBuB
gT78lwqP5nIhVyqIrO6qsz6WTYqbpueu85cDXwocMn1bP16/NsB9XA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcUVPc3lzYkRSZ2duZHJs
VmxDSHNURTlKMUtnWGRUcFgyVDUzaENKVW1JCjlJSjRMcjJMbnh2VlBEOVl0MzNh
S3VwOGhSKzI0K3pER0hTTVE5MGdjclEKLS0tIEVDenArRGZHdnc3R3NnTmlrZjlu
Y2F4OTROcjdzdlJTdnRZYXFxYlV2aVUK8sRR07aL3Ig3t39zqXxm+5igWG9xLXlo
DXf8yCXNhpI22NWmGMmG79b9mw7rmkfc9rRsgZnj/BZsCHmRkvFUlQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-30T22:14:44Z"
mac: ENC[AES256_GCM,data:eI1XcAhJVOvsaNFZN1SfsL/kTLDPHUbTR7Vdi6ipLT7vXfCmmbdj6LWy6lxEtsNlW4lGEX7i1vI7uh5/C0u2ijiWJjIkw/Ds5nbKGJXw7Bqll3fURrlG+2l1hOAXKghbXFh5BeZhVsGx7IGLVhUm64mZ1Z9AvWShW6wGpIWj6+c=,iv:MwuBIVpU+Zs4iRrP6/3haoEMX6FiFiPDK+NtiCJOoto=,tag:69iks/MDaKT93xfb7cBB9A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

40
secrets/sops/zero.yaml Normal file

File diff suppressed because one or more lines are too long


@ -4,6 +4,11 @@ let
toConfigFile = name: cfg: pkgs.writeText name (lib.generators.toYAML { } cfg);
blackboxExporterCfg = config.services.prometheus.exporters.blackbox;
in {
sops.secrets."alertmanager/env" = {
sopsFile = ../secrets/sops/alertmanager.yaml;
restartUnits = [ "alertmanager.service" ];
};
services.prometheus = {
enable = true;
checkConfig = "syntax-only";
@ -123,7 +128,7 @@ in {
listenAddress = "[::1]";
logLevel = "info";
webExternalUrl = "https://alertmanager.${my.domain}";
environmentFile = secrets.alertmanager-env.destination;
environmentFile = secrets."alertmanager/env".path;
checkConfig = false;
configuration = {
route = {


@ -1,4 +1,4 @@
{ config, pkgs, my, ... }:
{ config, pkgs, my, secrets, ... }:
let
conduitSettings = config.services.matrix-conduit.settings;
@ -109,32 +109,30 @@ in {
};
};
services.restic.backups.matrix-conduit =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
paths = [
"/var/backup/matrix-conduit/conduit.db.zst"
"/var/lib/matrix-conduit/media"
];
timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05
backupPrepareCommand = ''
set -euo pipefail
umask 0077
f=$(mktemp)
services.restic.backups.matrix-conduit = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
paths = [
"/var/backup/matrix-conduit/conduit.db.zst"
"/var/lib/matrix-conduit/media"
];
timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05
backupPrepareCommand = ''
set -euo pipefail
umask 0077
f=$(mktemp)
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
-o /var/backup/matrix-conduit/conduit.db.zst $f
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "matrix-conduit";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
-o /var/backup/matrix-conduit/conduit.db.zst $f
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "matrix-conduit";
inherit pkgs secrets;
};
};
}


@ -1,6 +1,12 @@
{ config, my, pkgs, secrets, ... }:
{
sops.secrets."grafana/secret-key" = {
sopsFile = ../secrets/sops/grafana.yaml;
owner = "grafana";
restartUnits = [ "grafana.service" ];
};
services.grafana = {
enable = true;
declarativePlugins = with pkgs.grafanaPlugins; [ ];
@ -19,7 +25,7 @@
enforce_domain = true;
};
security = {
secret_key = "$__file{${secrets.grafana-secret-key.destination}}";
secret_key = "$__file{${secrets."grafana/secret-key".path}}";
disable_gravatar = true;
cookie_secure = true;
content_security_policy = true;


@ -1,7 +1,22 @@
{ my, pkgs, secrets, ... }:
let trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ];
let
trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ];
mosquittoSecret = {
sopsFile = ../secrets/sops/home-assistant.yaml;
owner = "mosquitto";
restartUnits = [ "mosquitto.service" ];
};
in {
# https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
sops.secrets."home-assistant/automation-sshkey" = {
sopsFile = ../secrets/sops/home-assistant.yaml;
owner = "hass";
restartUnits = [ "home-assistant.service" ];
};
services.home-assistant = {
enable = true;
config = {
@ -41,7 +56,7 @@ in {
schedule = { };
shell_command.poweroff_zero = trimNewlines ''
${pkgs.openssh}/bin/ssh
-i ${secrets.automation-sshkey.destination}
-i ${secrets."home-assistant/automation-sshkey".path}
-o StrictHostKeyChecking=no
automation@zero poweroff
'';
@ -78,6 +93,9 @@ in {
systemd.services.home-assistant.after = [ "postgresql.service" ];
sops.secrets."mosquitto/home-assistant-password" = mosquittoSecret;
sops.secrets."mosquitto/tasmota-password" = mosquittoSecret;
services.mosquitto = {
enable = true;
listeners = [
@ -85,8 +103,7 @@ in {
address = "::1";
users.homeassistant = {
acl = [ "readwrite #" ];
hashedPasswordFile =
secrets.mosquitto-home-assistant-password.destination;
hashedPasswordFile = secrets."mosquitto/home-assistant-password".path;
};
}
{
@ -98,7 +115,7 @@ in {
];
users.tasmota = {
acl = [ "write tasmota/discovery/#" ];
hashedPasswordFile = secrets.mosquitto-tasmota-password.destination;
hashedPasswordFile = secrets."mosquitto/tasmota-password".path;
};
}
];
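Review bot: The `-o StrictHostKeyChecking=no` on the line right after the new `-i ${secrets."home-assistant/automation-sshkey".path}` means `poweroff_zero` never verifies it is talking to `zero`: on first contact any host answering to that name is accepted and sent the command. Now that the key path is declarative, the host key can be pinned the same way, e.g. replace the option with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=${pkgs.writeText "zero-known-hosts" "zero ssh-ed25519 <zero's host key>"}` (or declare it via `programs.ssh.knownHosts`). This option is pre-existing context rather than something the commit introduces, and the `config` attribute set it sits in starts and ends outside the hunk.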


@ -1,4 +1,4 @@
{ config, my, ... }:
{ config, secrets, ... }:
let
conduitCfg = config.services.matrix-conduit.settings.global;
@ -11,11 +11,20 @@ let
resources = [ "webhooks" ];
};
in {
sops.secrets = builtins.listToAttrs (map (n: {
name = "matrix-hookshot/${n}";
value = {
sopsFile = ../secrets/sops/matrix-hookshot.yaml;
owner = config.services.matrix-hookshot.user;
restartUnits = [ "matrix-hookshot.service" ];
};
}) [ "env" "passfile" ]);
services.matrix-hookshot = {
enable = true;
inherit (my.services.matrix-hookshot) environmentFile;
environmentFile = secrets."matrix-hookshot/env".path;
settings = {
inherit (my.services.matrix-hookshot) passFile;
passFile = secrets."matrix-hookshot/passfile".path;
bridge = {
domain = conduitCfg.server_name;
url = "http://[${conduitCfg.address}]:${toString conduitCfg.port}";


@ -1,10 +1,16 @@
{ config, my, pkgs, secrets, ... }:
{
sops.secrets."navidrome/env" = {
sopsFile = ../secrets/sops/navidrome.yaml;
restartUnits = [ "navidrome.service" ];
};
services.navidrome = {
enable = true;
settings = {
Address = "[::1]";
BaseUrl = "https://music.${my.domain}";
FFmpegPath = "${pkgs.ffmpeg}/bin/ffmpeg";
ImageCacheSize = "500MB";
ScanSchedule = "@every 10m";
@ -13,29 +19,27 @@
};
systemd.services.navidrome.serviceConfig.EnvironmentFile =
[ secrets.navidrome-env.destination ];
[ secrets."navidrome/env".path ];
services.restic.backups.navidrome =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
paths = [ "/var/backup/navidrome.sql.zst" ];
timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10
backupPrepareCommand = ''
set -euo pipefail
umask 0077
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \
| ${pkgs.zstd}/bin/zstd --compress -9 \
>/var/backup/navidrome.sql.zst
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "navidrome";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.navidrome = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
paths = [ "/var/backup/navidrome.sql.zst" ];
timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10
backupPrepareCommand = ''
set -euo pipefail
umask 0077
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \
| ${pkgs.zstd}/bin/zstd --compress -9 \
>/var/backup/navidrome.sql.zst
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "navidrome";
inherit pkgs secrets;
};
};
}


@ -1,6 +1,13 @@
{ config, pkgs, secrets, ... }:
{
sops.secrets."acme/token" = {
sopsFile = ../secrets/sops/acme.yaml;
owner = "acme";
inherit (config.security.acme.defaults) group;
mode = "0440";
};
services.nginx = {
enable = true;
enableReload = true;
@ -17,12 +24,19 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults = {
dnsProvider = "hetzner";
dnsResolver = "hydrogen.ns.hetzner.com:53";
reloadServices = [ "nginx" ];
environmentFile = secrets.hetzner-acme.destination;
security.acme = {
acceptTerms = true;
defaults = {
email = "contact@christoph-heiss.at";
dnsProvider = "hetzner";
dnsResolver = "hydrogen.ns.hetzner.com:53";
reloadServices = [ "nginx" ];
environmentFile = secrets."acme/token".path;
};
certs."c8h4.io" = {
domain = "*.c8h4.io";
extraDomainNames = [ "c8h4.io" ];
};
};
systemd.services.nginx = {


@ -1,4 +1,4 @@
{ config, lib, my, pkgs, ... }:
{ config, lib, my, pkgs, secrets, ... }:
let
paperlessEnv = config.services.paperless.settings;
@ -67,23 +67,21 @@ in {
users.users.paperless.extraGroups = [ "restic-backup" ];
services.restic.backups.paperless-media =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
user = "paperless";
paths = [
"/var/lib/paperless/media/documents"
"/var/lib/paperless/classification_model.pickle"
];
timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "paperless-media";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.paperless-media = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "paperless";
paths = [
"/var/lib/paperless/media/documents"
"/var/lib/paperless/classification_model.pickle"
];
timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "paperless-media";
inherit pkgs secrets;
};
};
}


@ -1,4 +1,4 @@
{ config, lib, my, pkgs, ... }:
{ config, lib, my, pkgs, secrets, ... }:
{
services.postgresql = {
@ -17,20 +17,18 @@
users.users.postgres.extraGroups = [ "restic-backup" ];
services.restic.backups.postgresql-15 =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
user = "postgres";
paths = [ "/var/backup/postgresql/all.sql.zstd" ];
timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "postgresql-15";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.postgresql-15 = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "postgres";
paths = [ "/var/backup/postgresql/all.sql.zstd" ];
timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "postgresql-15";
inherit pkgs secrets;
};
};
}


@ -43,7 +43,7 @@
scrape_interval = "60s";
metrics_path = "/api/prometheus";
authorization.credentials_file =
secrets.homeassistant-prometheus-token.destination;
secrets."home-assistant/prometheus-token".path;
static_configs = [{
targets = [ "tank:${toString my.services.home-assistant.port}" ];
}];
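Review bot: `authorization.credentials_file` is opened by the prometheus process itself at scrape time, not by systemd, so `home-assistant/prometheus-token` must be readable by the user prometheus runs as; its `sops.secrets` declaration is not in this diff, and sops-nix's default is root:root 0400, which would make every scrape of the home-assistant target fail with a permission error. If that declaration does not already set it, add `owner = "prometheus";` (or a group grant) together with `restartUnits = [ "prometheus.service" ];` so a rotated token is picked up. The enclosing `scrape_configs` entry starts and ends outside the hunk.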


@ -0,0 +1,12 @@
{
sops.secrets = builtins.listToAttrs (map (n: {
name = "restic/${n}";
value = {
sopsFile = ../secrets/sops/restic.yaml;
group = "restic-backup";
mode = "0440";
};
}) [ "rest-env" "backup-bot-env" ]);
users.groups.restic-backup = { };
}
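Review bot: Only `rest-env` and `backup-bot-env` are declared here with `group = "restic-backup"; mode = "0440";`, yet the backups that run unprivileged elsewhere in this commit (`user = "paperless"`, `user = "postgres"`, `user = "git"`) also read `secrets."restic/repo-password".path`. That secret lives in the per-host files (`restic: repo-password:` in `tank.yaml` above), so it cannot be declared from `restic.yaml` here, and its `sops.secrets` declaration is not visible in this diff; if it keeps sops-nix's default root:root 0400, those three backups fail before restic even contacts the repository. Confirm the host config declares it with the same grant, e.g. `sops.secrets."restic/repo-password" = { group = "restic-backup"; mode = "0440"; };`, and consider a one-line comment on this module noting that `repo-password` is intentionally host-specific so the asymmetry is not mistaken for an omission.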


@ -1,13 +1,37 @@
{ config, my, pkgs, ... }:
{ config, my, pkgs, secrets, ... }:
let
secretsPath = "/var/secrets/sourcehut";
inherit (my) domain;
fqdn = "srht.${domain}";
inherit (import ../sources.nix) sourcehutPkgs;
srhtServices = [
"metasrht"
"metasrht-api"
"metasrht-daily"
"metasrht-webhooks"
"gitsrht"
"gitsrht-api"
"gitsrht-periodic"
"gitsrht-webhooks"
];
secretNames = [
"network-key"
"service-key"
"oauth-client-secret"
"webhooks-privkey"
"pgp-pubkey"
"pgp-privkey"
];
in {
disabledModules = [ "services/misc/sourcehut" ];
imports = [ (sourcehutPkgs + /nixos/modules/services/misc/sourcehut) ];
sops.secrets = builtins.listToAttrs (map (n: {
name = "sourcehut/${n}";
value = {
sopsFile = ../secrets/sops/sourcehut.yaml;
owner = "root";
group = "sourcehut";
mode = "0440";
restartUnits = map (srv: "${srv}.service") srhtServices;
};
}) secretNames);
services.sourcehut = {
enable = true;
@ -34,8 +58,8 @@ in {
global-domain = fqdn;
owner-name = "Christoph Heiss";
owner-email = "christoph@c8h4.io";
network-key = "${secretsPath}/network-key";
service-key = "${secretsPath}/service-key";
network-key = secrets."sourcehut/network-key".path;
service-key = secrets."sourcehut/service-key".path;
};
"meta.sr.ht".origin = "https://meta.${fqdn}";
@ -47,7 +71,7 @@ in {
"git.sr.ht" = {
oauth-client-id = fqdn;
oauth-client-secret = "${secretsPath}/oauth-client-secret";
oauth-client-secret = secrets."sourcehut/oauth-client-secret".path;
outgoing-domain = "https://git.${fqdn}";
origin = "https://git.${fqdn}";
};
@ -55,56 +79,48 @@ in {
mail = {
smtp-from = "srht@c8h4.io";
pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
pgp-pubkey = "${secretsPath}/pgp-pubkey";
pgp-privkey = "${secretsPath}/pgp-privkey";
pgp-pubkey = secrets."sourcehut/pgp-pubkey".path;
pgp-privkey = secrets."sourcehut/pgp-privkey".path;
};
webhooks.private-key = "${secretsPath}/webhooks-private-key";
webhooks.private-key = secrets."sourcehut/webhooks-privkey".path;
};
};
security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ];
# Binds the sourcehut secrets path read-only into services that require them
systemd.services = let
services = [
"metasrht"
"metasrht-api"
"metasrht-daily"
"metasrht-webhooks"
"gitsrht"
"gitsrht-api"
"gitsrht-periodic"
"gitsrht-webhooks"
];
in builtins.listToAttrs (map (name: {
systemd.services = builtins.listToAttrs (map (name: {
inherit name;
value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
}) services);
value.serviceConfig.BindReadOnlyPaths =
map (n: secrets."sourcehut/${n}".path) secretNames;
}) srhtServices);
services.openssh.settings.AllowUsers = [ "git" ];
users.groups.sourcehut = { };
users.users = {
git = {
# Disable login for `git` user
password = "*";
extraGroups = [ "restic-backup" ];
extraGroups = [ "restic-backup" "sourcehut" ];
};
metasrht.extraGroups = [ "sourcehut" ];
};
services.restic.backups.gitsrht = let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
services.restic.backups.gitsrht = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "git";
paths = [ "/var/lib/sourcehut/gitsrht" ];
timerConfig.OnCalendar = "*-*-* 4:15:00"; # daily at 04:15
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "gitsrht";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
inherit pkgs secrets;
};
};
}
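Review bot: `passwordFile = secrets."restic/repo-password".path` in the new `services.restic.backups.gitsrht` block reads a sops secret that nothing visible declares — the restic hunk above only registers `restic/rest-env` and `restic/backup-bot-env` through `listToAttrs`. Unless `restic/repo-password` is declared in a per-host module outside this view (the old code used a per-host file under `/var/secrets/restic/repo/`, so that may well be the case), evaluation fails with a missing-attribute error. Wherever it is declared, it also needs `group = "restic-backup"; mode = "0440";` (or `owner = "git";`) like the other two, since the backup runs as `user = "git"` and the sops default of root-only `0400` would make the password unreadable. If it is meant to be host-independent, adding `"repo-password"` to the list in the restic hunk is the smallest fix, provided the key exists in `secrets/sops/restic.yaml`.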


@ -1,12 +1,18 @@
{ lib, my, secrets, ... }:
{
sops.secrets."vaultwarden/env" = {
sopsFile = ../secrets/sops/vaultwarden.yaml;
owner = "vaultwarden";
restartUnits = [ "vaultwarden.service" ];
};
services.vaultwarden = {
enable = true;
environmentFile = secrets.vaultwarden-env.destination;
environmentFile = secrets."vaultwarden/env".path;
dbBackend = "postgresql";
config = {
DOMAIN = "https://vaultwarden.${my.domain}";
DOMAIN = "https://vault.${my.domain}";
DATA_FOLDER = "/var/lib/vaultwarden";
DATABASE_URL = "postgresql:///vaultwarden";
SIGNUPS_ALLOWED = false;
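Review bot: The `DOMAIN` change from `"https://vaultwarden.${my.domain}"` to `"https://vault.${my.domain}"` is a functional change unrelated to the sops-nix migration this commit is about, and it is easy to miss inside a tree-wide refactor. `DOMAIN` is the public base URL vaultwarden advertises, so the reverse-proxy vhost and ACME certificate for the new name have to land in the same deployment, and anything bound to the old origin on the client side would need re-pointing; none of that is visible in this section, so confirm it is intended or split it out. The sops declaration itself looks right: `owner = "vaultwarden"` with the default mode keeps the env file private to the service, and `restartUnits` picks up rotations.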


@ -1,33 +0,0 @@
let
sourcehutPkgs = fetchGit {
name = "nixpkgs-sourcehut-updated";
url = "https://github.com/christoph-heiss/nixpkgs";
ref = "refs/heads/sourcehut-fix";
rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042";
};
in {
defaultPkgs = fetchGit {
name = "nixos-unstable";
url = "https://github.com/NixOS/nixpkgs";
ref = "refs/heads/nixos-unstable";
rev = "bdeca2c42d6c16adc216ffb87bbe27ebebbd5705"; # 31-03-2024
};
homeManager = fetchGit {
name = "nixos-home-manager-unstable";
url = "https://github.com/nix-community/home-manager";
ref = "refs/heads/master";
rev = "820be197ccf3adaad9a8856ef255c13b6cc561a6"; # 31-03-2024
};
inherit sourcehutPkgs;
overlays = [
(import ./pkgs)
(self: super: {
vimPlugins = super.vimPlugins
// (import ./pkgs/vim-plugins.nix self super);
})
(_: _: { inherit (import sourcehutPkgs { }) sourcehut; })
];
}


@ -1,9 +1 @@
let inherit (import ../../sources.nix) homeManager;
in {
imports = [ (import "${homeManager}/nixos") ];
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
home-manager.users.christoph.imports = [ ./common.nix ];
}
{ home-manager.users.christoph.imports = [ ./common.nix ]; }
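Review bot: `home-manager.useUserPackages` and `home-manager.useGlobalPkgs` are dropped here with no replacement in this section; unless the flake's module list now sets them, home-manager presumably falls back to its own nixpkgs instance (without this repo's overlays) and to per-user profile installation, which is a behaviour change rather than a pure move. If they did move to the flake, a one-line comment here such as `# home-manager NixOS module, useGlobalPkgs and useUserPackages are wired in flake.nix` would save the next reader a search.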


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
let
backgroundImgPath = "~/.local/share/sway/background.jpg";
setSinkVolume = pkgs.writeShellApplication {
name = "set-sink-volume";
runtimeInputs = with pkgs; [ bc jq pulseaudio ];
@ -174,7 +172,8 @@ in {
repeat_delay = "150";
repeat_rate = "50";
};
output."*".background = "${backgroundImgPath} fill #5fb2d0";
output."*".background =
"${pkgs.sway-background-image}/share/background.jpg fill #5fb2d0";
seat."*" = { hide_cursor = "when-typing enable"; };
left = "d";
down = "h";
@ -192,8 +191,6 @@ in {
'';
};
xdg.dataFile."sway/background.jpg".source = ../../extra/sway/background.jpg;
services.swayidle = {
enable = true;
events = [{
@ -218,7 +215,7 @@ in {
settings = {
daemonize = true;
ignore-empty-password = true;
image = backgroundImgPath;
image = "${pkgs.sway-background-image}/share/background.jpg";
scaling = "fill";
show-keyboard-layout = true;
};
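Review bot: `pkgs.sway-background-image` (used for `output."*".background` and the swaylock `image`) is, as far as I can tell, not a nixpkgs attribute, so it has to come from this repo's own `./pkgs` overlay — and the `overlays` list that applied that overlay lived in `sources.nix`, which this commit deletes. If the flake now applies the overlay to the pkgs home-manager sees (via `useGlobalPkgs` plus `nixpkgs.overlays`, or a home-manager-side overlay), this is fine; otherwise evaluation of this module fails with an unknown attribute. A short comment at the first use, e.g. `# provided by the ./pkgs overlay, see flake.nix`, would make the dependency explicit. The enclosing `in {` block starts outside these hunks.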